Security is hard enough to master in the traditional enterprise network. Now add all types of devices on the Internet of Things, great (think cars) and small (think webcams and baby monitors), which were never built with cyber security in mind.
Internet-connected devices run the gamut from SCADA systems to consumer products, and security weaknesses in these products have been under the glare of the spotlight the past year as researchers have publicized major flaws. Some of the affected industries got their first taste of white-hat hacking as vulnerabilities were revealed in cars, pacemakers, road traffic systems, home automation systems, and airplanes. The big shift: Public safety is now part of the equation with some of these products.
Many come with purpose-built features that actually equate to security flaws: intentional backdoors, hardcoded credentials, unencrypted data traffic, and critical systems sitting on the same network as noncritical ones. Even after highly publicized presentations at Black Hat USA and DEF CON last month, many remain unfixed and vulnerable.
Just how enterprises can manage the onslaught of connected devices will also be a big topic next month at Interop New York. Kent Shuart, network security product manager for Dell SonicWall, will present a session titled "Next Line of Defense: Internet of Things."
[Public safety may finally force Internet of Things manufacturers to start taking security seriously. Read Internet Of Things Security Reaches Tipping Point.]
So why not just patch or update IoT devices or build them more securely? There are some big-time challenges in securing these consumer and other embedded systems:
1. There's often no consistent or official software update process or mechanism.
Malware on a Windows machine eventually gets discovered, but Marc Maiffret, CTO at BeyondTrust, says there is little or no visibility into IoT devices. "Nobody has visibility into these devices or what is the authenticity of the firmware" if there's an update to them.
Since many of these devices run on Linux-based platforms, he suggests that their software be managed by the open systems community, which can handle vulnerability and security updates. An IP camera or a SAN storage system, for instance, should have a regular Linux update mechanism. "They should be opened up so they are truly treated as Linux OS. Allow me to SSH into it securely" and manage it like any other Linux OS, he says.
Chris LaPoint, vice president of product management at SolarWinds, says he has three home IP cameras that aren't running up-to-date firmware. It's unclear if they contain vulnerabilities. "Even the setup instruction for a lot of these devices, and the configuration of security controls around them, and patching… How does that get managed?"
2. Many consumer product and other nontraditional IT vendors have little or no understanding of the cyberthreats embedded in their systems.
There's a major disconnect between many of these embedded device manufacturers and the security community. Take the satellite terminal vendor community. Ruben Santamarta, a principal security consultant at IOActive, has found hardcoded passwords, backdoors, and insecure protocols in these devices that could allow attackers to hijack and disrupt communications links to ships, airplanes, and military operations. His findings were reported by the CERT Coordination Center to the vendors in January.
Fast forward to Black Hat USA, where Santamarta provided more details of his findings and revealed that the affected vendors have no plans to patch or fix the flaws he found. Some of the vendors contend that the issues aren't flaws, but necessary features in their products.
Santamarta's colleague Cesar Cerrudo, CTO at IOActive, had a similar experience when he found security holes in vehicle traffic control equipment. The manufacturers of the smart sensors he studied removed encryption from the devices after their customers requested it. Cerrudo says that without encryption, firmware can be spoofed, and malware can be installed.
Security industry efforts such as I Am the Cavalry and BuildItSecure.ly aim to bridge the gap between embedded device makers and white-hat hackers with help and outreach for better locking down of products.
3. There's often a lack of accountability for device security.
For many consumer devices, "there isn't a clear ownership on who owns the security," LaPoint says. "Device manufacturers say, 'We don't know.' They've hardly thought about it."
Some just post firmware updates on their websites, and it's up to the consumers or users to download and update the products. "Some come with obscure instructions, and that you have to do so with a USB cable," for example, he says. "I don't think the manufacturers are taking ownership" of securing their devices.
4. Many devices have been improperly configured or have purpose-built features that equate to security flaws.
Many of these devices run on the same network as IT systems. "How do these devices ultimately bridge to other things on my network?" LaPoint says. "If someone sees me in my underwear" via my webcam, that's not ideal. "But if they are able to gather personal information about me or other systems on my network… What other things can you do?"
The key is segmenting these consumer IP devices from data-sensitive systems on the network, he says.
The IoT is a challenge for the enterprise, but at least in corporate networks there are ways to add security policies once the devices are identified. "The volume of magnitude of these devices will be unlike anything we've ever seen. Assessment and the ability to understand what traffic is traversing the network, where it's coming from, and the ability to track and shut it down" are key for enterprises, LaPoint says.
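The two points above, segmenting consumer IP devices away from data-sensitive systems and being able to see which traffic is crossing the network and where it comes from, can be turned into a concrete check. The following is an added example, not code from the article or from any vendor quoted in it: a small Python audit that parses constructed flow records and flags IoT-originated flows that reach other internal segments or use outbound services the policy does not allow. The address plan (192.168.50.0/24 as the IoT segment, 10.10.0.0/16 as the sensitive segment, 192.168.1.0/24 as management), the allowed-egress set and the sample flows are all assumptions constructed for the example.

```python
"""Audit flow records against an IoT segmentation policy.

Added example, not from the article. The address plan, the record
format and the sample flows are constructed for illustration only.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed address plan: which subnet plays which role on this network.
SEGMENTS = {
    "iot": ipaddress.ip_network("192.168.50.0/24"),        # cameras, thermostats, etc.
    "sensitive": ipaddress.ip_network("10.10.0.0/16"),     # file servers, workstations
    "management": ipaddress.ip_network("192.168.1.0/24"),  # switches, controllers
}

# Outbound services the IoT segment is permitted to use (constructed policy):
# NTP for time sync and HTTPS for vendor cloud/update traffic.
ALLOWED_EGRESS = {("udp", 123), ("tcp", 443)}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one record of the form '<timestamp> <src_ip> <dst_ip> <dst_port> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                int(dport), proto.lower())


def segment_of(ip: ipaddress.IPv4Address) -> str:
    """Name the segment an address belongs to; anything unlisted is 'external'."""
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "external"


def evaluate(flow: Flow) -> Optional[str]:
    """Return a violation label, or None if the flow conforms to policy."""
    if segment_of(flow.src) != "iot":
        return None  # only IoT-originated traffic is in scope for this check
    dst_seg = segment_of(flow.dst)
    if dst_seg == "iot":
        return None  # traffic staying inside the IoT segment is allowed
    if dst_seg != "external":
        return f"iot-to-{dst_seg}"  # crossed into another internal segment
    if (flow.proto, flow.dport) in ALLOWED_EGRESS:
        return None  # permitted outbound service
    return "unexpected-egress"  # outbound traffic the policy does not cover


def audit(lines: List[str]) -> List[Tuple[Flow, str]]:
    """Run every non-empty record through the policy and collect violations."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        verdict = evaluate(flow)
        if verdict is not None:
            findings.append((flow, verdict))
    return findings


# Constructed sample records (documentation addresses, not real hosts).
SAMPLE_FLOWS = [
    "2014-09-10T08:00:01 192.168.50.12 203.0.113.9 123 udp",     # NTP out: allowed
    "2014-09-10T08:00:05 192.168.50.12 10.10.4.20 445 tcp",      # camera -> file server
    "2014-09-10T08:00:09 192.168.50.33 198.51.100.7 443 tcp",    # HTTPS out: allowed
    "2014-09-10T08:00:12 192.168.50.33 198.51.100.7 8080 tcp",   # unexpected outbound port
    "2014-09-10T08:00:15 10.10.4.20 192.168.50.12 80 tcp",       # workstation -> camera: out of scope
    "2014-09-10T08:00:20 192.168.50.33 192.168.1.1 22 tcp",      # camera -> switch SSH
]

if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS):
        print(f"{flow.ts} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}  {verdict}")
```

Fed real flow records, a check like this gives the "where is it coming from" visibility the quote calls for; the same segment table can then drive the firewall rules that actually enforce the separation between the IoT segment and the data-sensitive one.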